CVE-2026-7594

Source
https://cve.org/CVERecord?id=CVE-2026-7594
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-7594.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-7594
Published
2026-05-01T20:30:12.018Z
Modified
2026-07-15T01:49:01.489935363Z
Severity
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
Flux159 mcp-game-asset-gen MCP index.ts image_to_3d_async path traversal
Details

A vulnerability was detected in Flux159 mcp-game-asset-gen 0.1.0. Affected is the function imageto3d_async of the file src/index.ts of the component MCP Interface. The manipulation of the argument statusFile results in path traversal. The attack can be executed remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Database specific
{
    "cna_assigner": "VulDB",
    "cwe_ids": [
        "CWE-22"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7594.json"
}
References

Affected packages

Git / github.com/flux159/mcp-game-asset-gen

Affected ranges

Type
GIT
Repo
https://github.com/flux159/mcp-game-asset-gen
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0.1.0"
        },
        {
            "last_affected": "0.1.0"
        }
    ]
}

Affected versions

0.*
0.1.0
v0.*
v0.1.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-7594.json"